
C9800 WLC webinterface read-only access

pcarlier1
Level 1

Hello all,

Is it in any way possible to grant someone RO access for the entire web interface of a C9800 WLC instead of just the Monitoring tab?

According to the documentation, when you use RADIUS or TACACS+ for authentication then this isn't possible. You would have to give them full access if you would like them to view all config settings in the UI. Giving full access and then limiting the specific commands they can enter also isn't supported. This would still result in read-write access through the GUI.

Is it possible through local authentication though? I can't find any info on this. For the GUI I assume the same restrictions apply as with RADIUS/TACACS+ but I wonder whether it is possible to give a local account permissions to use specific show commands such as "show running-configuration view full". I tested it for a RADIUS authenticated user and explicitly allowing this command for the user's priv level still resulted in no output when entering it. Can anyone confirm whether or not it is the same for a local user?

Thank you all in advance for your feedback.

6 Replies

You should be able to create local users with read only permission.

https://community.cisco.com/t5/wireless/wlc-admin-profiles/td-p/2450945

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Hello,

I have done some (I think) pretty extensive research, and I think the best you can do when it comes to the Web GUI is the Lobby Ambassador account with read only access. I guess that is what you are referring to when you say 'according to the documentation'?

Role based CLI access used to be around, not sure if that is available on the 9800 WLC:

https://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

Hi George,

Yes that is correct.

The customer has requested such a read-only account so they may see the entire config of the WLC we manage.

For RADIUS and TACACS+ it is explicitly stated that this isn't possible but I couldn't find anything regarding local authentication:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/214490-configure-radius-and-tacacs-for-gui-and.html#anc7

Hello,

Tough one. I could not find any documentation that says you can actually give granular access, no matter what authentication method is used.

The role based access I mentioned earlier doesn't seem to be available on the WLC 9800, it is kind of ancient.

The only thing I could find was Cisco TrustSec, but it only seems to work in conjunction with ISE, so that probably won't do you any good.

Is that just one customer who requests this read only access, for just one WLC? I am trying to think of an alternative way of achieving that...

Hi George,

I believe this granular access is in some way possible for local accounts. The customer claimed to have been able to view all 9800 tabs back when they used local authentication. I guess by defining a lower level user and then allowing the use of certain commands by way of a series of "privilege exec ..." commands which are still configured on the WLC but don't seem to have any effect for a centrally authenticated user.

As far as I know local auth and central auth can't be used simultaneously, local has to be the fallback. So it seems like this isn't an option in our setup.